def test_action(self):

        action = Action()

        # Defaults
        self.assertEqual(action.action, 'allow')
        self.assertEqual(action.scan_detection, 'undefined')

        action.action = 'discard'
        self.assertEqual(action.action, 'discard')
        action.action = 'foo'
        self.assertEqual(action.action, 'foo')
        action.deep_inspection = True
        action.file_filtering = False
        action.dos_protection = True
        action.scan_detection = 'on'
        action.vpn = 'http://1.1.1.1'
        action.mobile_vpn = True

        self.assertTrue(action.deep_inspection)
        self.assertFalse(action.file_filtering)
        self.assertTrue(action.dos_protection)
        self.assertEqual(action.scan_detection, 'on')
        self.assertEqual(action.vpn, 'http://1.1.1.1')
        self.assertTrue(action.mobile_vpn)
        self.assertIsNone(action.user_response)

        self.assertFalse(action.connection_tracking_options.mss_enforced)
        self.assertEqual(action.connection_tracking_options.timeout, -1)
        mini, maxi = action.connection_tracking_options.mss_enforced_min_max
        self.assertEqual(mini, 0)
        self.assertEqual(maxi, 0)

        action.connection_tracking_options.state = 'normal'
        action.connection_tracking_options.timeout = 60
        action.connection_tracking_options.mss_enforced_min_max = (1400, 1450)
        action.connection_tracking_options.mss_enforced = True

        self.assertEqual(action.connection_tracking_options.state, 'normal')
        self.assertEqual(action.connection_tracking_options.timeout, 60)
        mini, maxi = action.connection_tracking_options.mss_enforced_min_max
        self.assertEqual(mini, 1400)
        self.assertEqual(maxi, 1450)
        self.assertTrue(action.connection_tracking_options.mss_enforced)

        o = action()
        for k, v in o.items():
            self.assertEqual(k, 'action')
            self.assertDictEqual(v, action.data)

        action = Action({'foo': 'bar'})
        self.assertDictEqual(action.data, {'foo': 'bar'})
Exemple #2
0
    def add_policy(self):
        """
        If a client AMI was specified when building a new VPC, this will add
        rules to allow inbound access to the AMI. This could be extended to 
        more generically support VPN rules.
        """
        if not self.firewall_policy:
            self.firewall_policy = 'AWS_Default'
            # Policy not specified, use the default, or check if hidden setting was specified
            try:
                FirewallPolicy.create(name='AWS_Default',
                                      template='Firewall Inspection Template')
            except CreatePolicyFailed:
                pass  # Already exists

        policy = FirewallPolicy(self.firewall_policy)
        # Create the access rule for the network

        options = LogOptions()
        options.log_accounting_info_mode = True
        options.log_level = 'stored'
        options.application_logging = 'enforced'
        options.user_logging = 'enforced'

        action = Action()
        action.deep_inspection = True
        action.file_filtering = False

        outbound_rule = policy.search_rule('AWS outbound access rule')
        if not outbound_rule:
            # Generic outbound access rule
            policy.fw_ipv4_access_rules.create(
                name='AWS outbound access rule',
                sources=[Alias('$$ Interface ID 1.net')],
                destinations='any',
                services='any',
                action=action,
                log_options=options)

        if self.aws_ami_ip and self.nat_ports:
            dest_port = self.nat_ports.get('dest_port')
            redirect_port = self.nat_ports.get('redirect_port')

            services = list(
                TCPService.objects.filter(dest_port))  # @UndefinedVariable
            # Ignore services with protocol agents so we skip SSM
            service = next(
                ([service]
                 for service in services if not service.protocol_agent), [])

            if not service:
                service = [
                    TCPService.create(name='aws_tcp{}'.format(dest_port),
                                      min_dst_port=dest_port)
                ]

            # Create the access rule for the client
            policy.fw_ipv4_access_rules.create(
                name=self.name,
                sources='any',
                destinations=[Alias('$$ Interface ID 0.ip')],
                services=service,
                action='allow',
                log_options=options)
            policy.fw_ipv4_nat_rules.create(
                name=self.name,
                sources='any',
                destinations=[Alias('$$ Interface ID 0.ip')],
                services=service,
                static_dst_nat=self.aws_ami_ip,
                static_dst_nat_ports=(dest_port, redirect_port),
                used_on=self.engine.href)